Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are common (and uncommon) unified threat management features?

Unified threat management products have gained popularity because they bring multiple security tools together into one appliance. In this SearchSecurity.com Q&A, Michael Cobb reviews just what those security tools are.

UTM, or unified threat management, is a term used to describe a firewall that combines multiple security features in one appliance. As a minimum, it must have the ability to perform network firewall functions, intrusion detection and prevention, as well as gateway antivirus scanning. Other common features found in UTMs include the filtering and controlling of a wide variety of network communications, such as Web, instant messaging and email traffic. The combination of multiple capabilities allows deep inspection of packets and real-time attack protection from layer two to Layer 7 of the Open System Interconnection (OSI) model. Some devices also offer VPN capabilities.

UTM appliances have quickly gained in popularity, partly because the all-in-one approach simplifies installation, configuration and maintenance. Such a setup saves time, money and people when compared to the management of multiple security systems. Instead of having several single-function appliances, all needing individual familiarity, attention and support, network administrators can centrally administer their security defenses from one box. Also, the multiple functions of UTM appliances have made it easier to convince management to replace older, more basic firewalls that cannot evaluate application-layer traffic.

A more recent UTM feature is the ability to inspect all network traffic, including encoded, compressed, encrypted and wireless traffic. Other newer enhancements include strong authentication controls as well as traffic anomaly detection. UTM's popularity will surely cause vendors to add new defense features. I can see extended log-analysis mechanisms, such as behavioral analysis of network traffic, becoming a common feature soon.

When you are evaluating a UTM, it is important to ensure that the device's different functionalities fulfill all of your security policy requirements. It's also important to make sure that the appliance is easy to use and keep up-to-date. Do not get caught up in the sales and marketing hype that tends to surround a lot of products in this area of network protection.

One drawback of an all-in-one device like a UTM is that it creates a single point of failure on your network. Should the product go down, it can create a major cap in your defensive posture. Good UTMs, however, have failover features that can allow connections to a secondary gateway if the primary one becomes unavailable. Effective UTMs also have plenty of processing power, so production won't be hindered when the devices look for both application-layer and content-based attacks. Some have predicted that purely software-based enterprise UTMs would emerge, but because they need to run on purpose-built security devices with a hardened operating systems designed to handle the role of real-time protection and control, I consider this scenario unlikely.


This was last published in February 2009

Dig Deeper on Information security threats